I would like to start my tenure as editor of the Logic Column by thanking Jon Riecke, who has 
edited this column since 1998. The Logic Column serves as a showcase of the many connections 
between logic and computer science. Logic has been connected with computer science since the 
early days of Turing. In the past few decades, logical methods have had a considerable impact. To 
get a sense of the range of applications, consider the 2001 NSF/CISE Workshop on The Unusual 
Effectiveness of Logic in Computer Science (see http://www.cs.rice.edu/~vardi/logic/). An 
article derived from the workshop appeared in the Bulletin of Symbolic Logic [Halpern et al. 2001], 
and it is an exceedingly good read. If you get a copy of that issue of the Bulletin, make sure to also 
have a look at the article by Buss et al. [2001], which discusses the current state of mathematical 
logic. 

If you have any suggestion concerning the content of the Logic Column, or even better, if you 
would like to contribute by writing a survey or tutorial on your own work or topic related to your 
area of interest, feel free to get in touch with me. Topics of interest include, but are not limited to: 

• recent results on logic in general, and in applications to computer science in particular; 

• reviews of research monographs and edited volumes; 

• conference reports; 

• relevant results and connections with other fields that make use of logical methods, such as 
mathematics, artificial intelligence, linguistics, and philosophy; 

• surveys of interesting uses of logical methods in computer science. 

And while we are on the topic of logical methods in computer science, let me take this opportunity 
to advertise a new online journal, aptly called Logical Methods in Computer Science. See 
http://www.lmcs-online.org/ for more details. 



ACM SIGACT News, December 2004, Vol. 35, No. 4 

Modeling Confidentiality 

First-time novelists write transparently autobiographical novels; first-time columnists write about 
what they do. Therefore, this article will be about logical methods applied to security, a topic I 
have been involved with for the past few years. The goal is to illustrate a feature of logical methods: 
to unify under the umbrella of a formal language seemingly distinct notions that share a common 
intuition. Some of the results I report reflect ongoing work in collaboration with Sabina Petride, 
of Cornell University. 

There are a number of important concepts in security: confidentiality (keeping data secret), 
authentication (proving identity or origination), integrity (preventing data modification), and others. 
In this article, I will focus on confidentiality, arguably one of the core concepts. There are many 
views on confidentiality in the literature, with many corresponding definitions, in many different 
guises. My goal here is to show that these definitions can essentially be understood as follows: they 
capture the fact that unauthorized agents do not know anything about confidential data. The 
variations between definitions concern the kind of data being protected, and the properties of the data 
that are meant to remain unknown. The setting where the various definitions will be interpreted 
is a setting where we can make sense of such knowledge, in a pleasantly abstract way. 

The first step is to specify what we mean by an unauthorized agent. Generally, security is studied 
in an adversarial setting, that is, in the presence of an adversary. Given our focus on confidentiality, 
we assume that the adversary seeks to circumvent confidentiality, and obtain information about 
the confidential data. To simplify our problem slightly, we assume that confidentiality is meant 
to be enforced against such an adversary, and thus that ensuring confidentiality means that the 
adversary does not know anything about a confidential piece of data. 

The second step is therefore to capture the knowledge of the adversary in some general way. A 
particularly successful formalization of knowledge is due to Hintikka [1962], and has been applied 
to many fields of computer science; see Fagin et al. [1995] for a survey. The formalization relies 
on the notion of possible worlds: a possible world is, roughly speaking, a possible way in which the 
world could be. To drive the intuition, consider the following situation. Suppose I witness Alice 
murdering Bob in the library, and suppose that it is a matter of fact that Alice used a fire poker, 
but for whatever reason, I did not notice the murder weapon that Alice used. Thus, there are (at 
least) two worlds that I consider as possible alternatives to the actual world: the actual world itself, 
where Alice used a fire poker, and a world where Alice used, say, a brick. I cannot be said to know 
that Alice murdered Bob using a poker, since from my point of view, it is possible that Alice did 
not: there is a world I consider possible where Alice used a brick. On the other hand, I can be said 
to know that Alice is a murderer, since it will be the case at every world I consider possible.¹ Thus, 
I can be said to know a fact at a world if that fact is true in all the worlds I consider possible at 
that world. 

To reason about possible worlds and the knowledge of an agent with respect to these worlds, we 
use epistemic frames. An epistemic frame is a tuple $F = (W, \mathcal{K})$, where $W$ is a set of possible 
worlds (or states) and $\mathcal{K}$ is a relation on $W$ that represents the worlds that the agent considers 
as possible alternatives to other worlds; $(w, w') \in \mathcal{K}$ if the agent considers $w'$ as a possible 
world at world $w$. We often use the notation $\mathcal{K}(w)$ for $\{w' \mid (w, w') \in \mathcal{K}\}$. We identify 
a fact with the set of worlds where that fact holds. Thus, a fact is a subset $S$ of $W$. Following the 
intuition above, we say a fact $S$ is known at a world $w$ if $\mathcal{K}(w) \subseteq S$, that is, if at every 
world that the agent considers possible at world $w$, the fact $S$ holds at that world. To model the 
situation in the previous paragraph, consider a simple epistemic frame with three worlds 
$W = \{w_1, w_2, w_3\}$, where $w_1$ is the world where Alice murdered Bob in the library with a poker, 
$w_2$ is the world where Alice murdered Bob in the library with a brick, and $w_3$ is the world where 
Alice did not murder Bob. Thus, the fact $G_1 =$ "Alice murdered Bob in the library" is represented 
by the set $\{w_1, w_2\}$, and the fact $G_2 =$ "Alice murdered Bob with a poker" is represented by the 
set $\{w_1\}$. By assumption, the worlds I consider possible at $w_1$ are $\{w_1, w_2\}$, and thus 
$\mathcal{K}(w_1) = \{w_1, w_2\}$. Since $\mathcal{K}(w_1) = \{w_1, w_2\} \subseteq G_1$, I know the fact $G_1$, but since 
$\mathcal{K}(w_1) = \{w_1, w_2\} \not\subseteq \{w_1\}$, I do not know $G_2$. 

¹This is under the assumption that I am not subject to illusions, or hallucinations, of course. Philosophers are fond 
of such counterexamples, which reveal implicit assumptions about the world that may affect our reasoning. When 
applying these ideas to computer science, we shall assume that our models take into account everything relevant to 
establish knowledge, including such implicit assumptions. 

The framework can be easily extended to reason about the knowledge of multiple agents. It 
suffices to provide a relation $\mathcal{K}_i$ to every agent $i$. In this article, since we shall focus on confidentiality 
with respect to only a single adversary, we only need to reason about the adversary's knowledge. 
This has the advantage of simplifying the framework and the notation. Of course, our discussion 
can be expanded to deal with multiple agents. In fact, we will assume multiple agents, but only 
model the knowledge of the adversary. 

Epistemic frames describe the structure of the model that we want to reason about. They have 
been quite successful in fields such as economics, where they are used to reason about the knowledge 
of economic agents [Aumann 1999]. While a lot can be done purely at the level of the model, one 
big advantage in casting a situation in epistemic frames is that we can define a formal language 
to let us do the reasoning without having to explicitly manipulate the worlds of the model. The 
language of epistemic logic starts with a set of primitive propositions $\Phi_0$ (describing the basic facts 
we are interested in reasoning about), and forms more general formulas using conjunction $\varphi \wedge \psi$, 
negation $\neg\varphi$, and knowledge formulas of the form $K\varphi$, read "the agent knows $\varphi$". In order to 
interpret this language in an epistemic frame, that is, to say when a formula of the language is true 
at a world of the frame, we need to add an interpretation $\pi$ stating which primitive propositions 
are true at which worlds. An epistemic structure (also known as a Kripke structure) is a tuple 
$M = (W, \mathcal{K}, \pi)$, where $(W, \mathcal{K})$ is an epistemic frame, and $\pi$ is an interpretation. The truth of a 
formula $\varphi$ at a world $w$ of structure $M$, written $(M, w) \models \varphi$, is established by induction on the 
structure of $\varphi$: 

\[
\begin{array}{ll}
(M, w) \models p & \text{if } p \in \pi(w) \\
(M, w) \models \neg\varphi & \text{if } (M, w) \not\models \varphi \\
(M, w) \models \varphi \wedge \psi & \text{if } (M, w) \models \varphi \text{ and } (M, w) \models \psi \\
(M, w) \models K\varphi & \text{if for all } w' \in \mathcal{K}(w),\ (M, w') \models \varphi.
\end{array}
\]

The semantics for primitive propositions shows the role of the interpretation. The semantics of 
negation and conjunction are the obvious ones. The semantics of knowledge formulas follows the 
intuition outlined above: a formula is known at a world $w$ if it is true at all the worlds the agent 
considers possible at $w$. We write $M \models \varphi$ if $(M, w) \models \varphi$ for all worlds $w$. 

We therefore have two tools to reason about the knowledge of agents: a way to model the 
system with a notion of possible worlds, and a language to express properties of the system. These 
two tools come together when applying the framework to capture various notions of confidentiality 
in the literature. 

Rather than using epistemic structures in their full generality, we focus on a particular class of 
structures, inspired by the multiagent systems often used to model distributed systems. We assume 
a number of agents (named 1 to $n$, for simplicity), including an adversary, named $adv$. We assume 
that every agent (including the adversary) is in some local state at any global state of the system. 
We take as the worlds of our model the global states of the system. We furthermore assume that 
the environment acts like an agent, and has its own local state, to account for the information that 
needs to be maintained but is not kept in the local state of any agent. Thus, a global state is a 
tuple $(s_e, s_{adv}, s_1, \ldots, s_n)$, where $s_e$ is the local state of the environment, $s_{adv}$ is the local state 
of the adversary, and $s_i$ is the local state of agent $i \in \{1, \ldots, n\}$. Intuitively, the local state of an 
agent represents the part of the global state that he can observe. Thus, if an adversary has the same 
local state in two global states $s, s'$, then at state $s$, he should consider state $s'$ as a possible global 
state, since he can observe exactly the same local state in both cases. In other words, the basic 
possible worlds relation for the adversary (called an indistinguishability relation since it is based on 
the idea of distinguishing local states) we consider is the state-identity relation $\mathcal{K}^{adv}$, which holds 
between two states if the adversary has the same local state in both states. Formally, $(s, s') \in \mathcal{K}^{adv}$ 
if and only if $s_{adv} = s'_{adv}$. While we will find it useful to customize the indistinguishability relation 
of the adversary to control what he can observe, especially when dealing with cryptography, we 
shall always assume that the adversary cannot distinguish two states where he has the same local 
state. Thus, if $\mathcal{K}$ is an indistinguishability relation for the adversary, we have $(s, s') \in \mathcal{K}$ whenever 
$s_{adv} = s'_{adv}$, that is, $\mathcal{K}^{adv} \subseteq \mathcal{K}$. Putting this all together, we define an adversarial frame as a tuple 
$F = (S, \mathcal{K})$, where $S$ is a set of global states, and $\mathcal{K}$ is an indistinguishability relation for the 
adversary with $\mathcal{K}^{adv} \subseteq \mathcal{K}$. Similarly, an adversarial structure is a tuple $M = (S, \mathcal{K}, \pi)$ where $(S, \mathcal{K})$ 
is an adversarial frame, and $\pi$ is an interpretation. Since adversarial structures are just epistemic 
structures, we can interpret an epistemic language over adversarial structures, where the knowledge 
operator captures the knowledge of the adversary. 

We now explore how we can use this framework to explicate many definitions of confidentiality 
used in the security literature. As we shall see, all the definitions will be captured semantically, that 
is, by describing appropriate conditions on adversarial structures, as well as describing appropriate 
indistinguishability relations for the adversary. Moreover, we will give an interpretation to these 
semantic conditions in terms of formulas of an epistemic logic. Roughly speaking, this interpretation 
means the adversary never knows a particular class of formulas; these formulas represent properties 
of the data defined to be confidential. 

Confidentiality and Information Flow 

A particular form of security is to ensure the confidentiality of information among users at dif- 
ferent security levels. (This is often called multilevel security.) An example is the stereotypical 
classification of users (and data) in military systems, where security levels include "unclassified", 
"classified", and "top-secret"; users at a given level can access information marked at that level, 
and at lower levels. The model of the world is that these users share the same system, and the 
goal is to prevent the system from leaking information about the high-level secrets to lower levels. 
Generally, these security levels form a hierarchy [Denning 1976]. Consider the following example. 
A company operates a large computer network. Alice, the CEO, has access to all the data in the 
company. Bob, a consultant, uses the same system, but has restricted access. The company would 
like to ensure that Bob cannot gain any information about some of the high-level data that Alice 
enters in the system. That is, the company would like to prevent any sort of flow of information 
from high-level data to low-level users. In this setting, a confidentiality property specifies which 
flows of information are allowed, and which are forbidden. The most general form of confidentiality 
is to forbid any kind of information to flow from the high-level users to lower-level users. In the 
discussion that follows, I will suppose that there are only two classes of security levels, high and 
low, with the adversary being a low user; however, the ideas readily generalize to multiple security 
levels. 

The general approach goes back to the notion of nondeducibility introduced by Sutherland 
[1986]. Halpern and O'Neill [2002] have formalized this notion (and others) using possible worlds 
and epistemic logic. I describe one of their results in this section. To a first approximation, the 
intuition is that the low agent should not be able to rule out possibilities as far as the interesting 
part of the local state of the high agents is concerned. To capture the interesting part of the local 
state of the high agents, define an information function for agent $i$ to be a function $f$ on global 
states that depends only on agent $i$'s local state, that is, $f(s) = f(s')$ if $s_i = s'_i$. 

If an information function for agent $i$ describes the interesting aspects of the local state of agent 
$i$ that he seeks to keep confidential, then we can define $f$-secrecy with respect to the adversary:² 
agent $i$ maintains $f$-secrecy in an adversarial frame $F$ if for all global states $s$ and all values $v$ in 
the image of $f$, 

\[
\mathcal{K}(s) \cap f^{-1}(v) \neq \emptyset.
\]

In other words, the adversary considers all values of $f$ possible, at every global state. 

This fairly simple semantic characterization can be captured syntactically, using the epistemic 
logic described earlier, in a way that relates to the adversary's knowledge about the high-level 
state. Let $\Phi_0$ be an arbitrary set of primitive propositions. If $f$ is an information function for agent 
$i$, a formula $\varphi$ in $M$ is said to be $f$-local if it depends only on the value of $f$, that is, whenever 
$f(s) = f(s')$, then $(M, s) \models \varphi$ if and only if $(M, s') \models \varphi$. Thus, in some sense, $\varphi$ is a proposition 
that captures a property of the value of $f$. Of course, we have to account for the possibility that 
$\varphi$ is completely trivial. Say $\varphi$ is nontrivial in $M$ if there exist $s, s'$ such that $(M, s) \models \varphi$ and 
$(M, s') \models \neg\varphi$. The following result is proved by Halpern and O'Neill [2002]. 

Theorem 1. Let $F = (S, \mathcal{K})$ be an adversarial frame. Agent $i$ maintains $f$-secrecy in $F$ if and 
only if, for every interpretation $\pi$, if $\varphi$ is $f$-local and nontrivial in $M = (S, \mathcal{K}, \pi)$ then $M \models \neg K\varphi$. 
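As an added illustration (not code from the column), the following Python implements the semantics of the epistemic language given earlier, the semantic $f$-secrecy check, and the syntactic side of Theorem 1, and runs both sides on a constructed adversarial frame: a toy system in which agent 1 holds a secret bit and the adversary's local state is either only a clock tick (no flow) or the tick together with the bit (a flow). The state layout, the proposition name `high1` and the system itself are assumptions of the example.

```python
from itertools import product

# Constructed toy system (not from the article). A global state is the tuple
# (s_e, s_adv, s_1): environment, adversary and agent 1 (the high agent).
# Agent 1's local state is a secret bit h; the environment records a clock tick.
# In the leaky variant the adversary's local state also reveals h; in the safe
# variant it is only the tick.

def make_states(leaky):
    states = []
    for h, tick in product((0, 1), (0, 1)):
        s_adv = (tick, h) if leaky else (tick,)
        states.append((tick, s_adv, h))
    return states

def state_identity_relation(states):
    """K^adv: s' is possible at s iff the adversary has the same local state."""
    return {s: {t for t in states if t[1] == s[1]} for s in states}

def f_secrecy(states, K, f):
    """Agent maintains f-secrecy iff, at every s and for every value v in the
    image of f, some state considered possible at s has f-value v."""
    image = {f(s) for s in states}
    return all(any(f(t) == v for t in K[s]) for s in states for v in image)

# Formulas: ("p", name) | ("not", phi) | ("and", phi, psi) | ("K", phi)
def holds(M, s, phi):
    """(M, s) |= phi, for M = (S, K, pi) with pi mapping a state to the set
    of primitive propositions true there."""
    S, K, pi = M
    tag = phi[0]
    if tag == "p":
        return phi[1] in pi(s)
    if tag == "not":
        return not holds(M, s, phi[1])
    if tag == "and":
        return holds(M, s, phi[1]) and holds(M, s, phi[2])
    if tag == "K":
        return all(holds(M, t, phi[1]) for t in K[s])
    raise ValueError(phi)

def valid(M, phi):
    """M |= phi: phi holds at every state of M."""
    return all(holds(M, s, phi) for s in M[0])

def f_local(M, f, phi):
    """phi is f-local: states with equal f-value agree on phi."""
    S = M[0]
    return all(holds(M, s, phi) == holds(M, t, phi)
               for s in S for t in S if f(s) == f(t))

def nontrivial(M, phi):
    S = M[0]
    return any(holds(M, s, phi) for s in S) and any(not holds(M, s, phi) for s in S)

def high_bit(s):
    return s[2]        # information function for agent 1: its whole local state

def pi_high(s):
    return {"high1"} if s[2] == 1 else set()   # assumed primitive proposition

def build(leaky):
    S = make_states(leaky)
    return (S, state_identity_relation(S), pi_high)

def theorem1_check(leaky):
    """Return (semantic, syntactic): f-secrecy of agent 1, and whether the
    adversary never knows the f-local, nontrivial formula high1 nor its negation."""
    M = build(leaky)
    S, K, _ = M
    semantic = f_secrecy(S, K, high_bit)
    phi = ("p", "high1")
    assert f_local(M, high_bit, phi) and nontrivial(M, phi)
    syntactic = all(valid(M, ("not", ("K", psi))) for psi in (phi, ("not", phi)))
    return semantic, syntactic

if __name__ == "__main__":
    for leaky in (False, True):
        print("leaky" if leaky else "safe", theorem1_check(leaky))
```

Both sides agree on both systems, as Theorem 1 predicts: the safe system gives `(True, True)`, the leaky one `(False, False)`.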

Of course, the characterization of confidentiality above is extremely strong. A more realistic 
form of confidentiality should allow some form of information to leak. Timing information, for 
example, might fit in this category. In general, given any state, the adversary should be able to 
rule out states for the high-level agents that are in the distant past, or the distant future. However, 
formalizing the fact that this kind of information flow is allowed is difficult in practice. It is 
not obvious how to distinguish allowed timing information flow from attacks that rely on timing 
channels [Wray 1991]. 

Similarly, there are cases where we must permit the declassification of some data in order for 
the system to be able to perform useful work. The classical example used in the literature is a 
password-checking program: a program that prompts the user for a password, and logs him or her 
in if the password is correct. Assume the password is a high-level piece of data. If an adversary tries 
to login with password p and fails, he has gained information about the true password, namely, that 
it is not p. Most work in information flow in the past few years has aimed at understanding this 
notion of declassification of data [Pottier and Conchon 2000; Zdancewic and Myers 2001; Chong 
and Myers 2004]. 

Finally, there are many ways in which the above definitions are insufficiently precise. For one, 
they do not take the likelihood of states into account. Assume that the adversary initially believes 
that all the states of the agents are equally likely. If after some interaction with the system, the 
adversary still believes that all the high-level states are possible, but one is overwhelmingly more 
likely than the others, then one could easily argue that there has been information leakage, 
although the above definitions do not capture it. Handling these kinds of flows requires more 
quantitative forms of information flow properties [Gray and Syverson 1998; Halpern and O'Neill 
2002]. 

²Strictly speaking, $f$-secrecy is defined with respect to any agent, but we already established that we care only 
about the adversary in this article. 

Confidentiality and Symbolic Cryptographic Protocol Analysis 

One thing that the framework of the last section did not take into account is the use of cryptography 
to hide data from the adversary. Defining confidentiality in the presence of cryptography is more 
challenging. This form of confidentiality is sometimes studied in the literature when considering 
cryptographic protocols, that is, protocols between agents that aim at exchanging messages with 
some security guarantees, such as ensuring that the messages remain confidential, or that the origin 
of the messages is authenticated. In the information-flow setting, we were interested in reasoning 
about what the adversary could infer about the local state of the high agents. In this section, 
however, the adversary is allowed to intercept messages, as well as forward and inject new messages 
into the system. We are interested in reasoning about what the adversary can infer about the 
messages he has intercepted, despite them being perhaps encrypted. This will be reflected in the 
language used to capture the confidentiality specification: to capture information flow, the formulas 
involved in the specification are those whose truth depends on the local state of the other agents; 
for cryptographic protocol analysis, as we shall see, the formulas involved in the specification are 
those whose truth depends on the messages intercepted by the adversary. 

There are a number of notions of confidentiality that have been studied in the cryptographic 
protocol analysis literature. A common one is based on the intuition that the adversary is not able 
to distinguish between states where the agents exchange message m and states where the agents 
exchange some other message m', for all messages m and m'. This is the approach taken, for 
instance, in the spi calculus of Abadi and Gordon [1999]. Phrasing it this way brings us halfway 
to the framework of the last section; however, we need to take into account that the adversary 
should not be able to distinguish encrypted messages for which he does not have the corresponding 
decryption key. This requires a formalization of what the adversary can do to messages. The view 
we take in this section is that an adversary can do anything short of attempting to crack encrypted 
messages. Thus, we treat the particular encryption scheme used by the agents as perfect. (We 
weaken this assumption in the next section.) Such an adversary was first formalized by Dolev 
and Yao [1983]. Roughly speaking, a Dolev-Yao adversary can compose messages, replay them, or 
decrypt them if he knows the right keys. We first define a symbolic representation for messages, 
where we write $(m_1, m_2)$ for the pairing (or concatenation) of $m_1$ and $m_2$, and $\{m\}_k$ for the 
encryption of $m$ with $k$. We write $k^{-1}$ for the inverse key of $k$, that is, the key used to decrypt 
messages encrypted with $k$. We then define a relation $\vdash$, where $H \vdash m$ is interpreted as saying that 
the adversary can infer message $m$ from a set $H$ of messages. (Intuitively, $H$ is the set of messages 
he has intercepted.) This relation is defined using the following inference rules: 

\[
\frac{m \in H}{H \vdash m} \qquad
\frac{H \vdash \{m\}_k \quad H \vdash k^{-1}}{H \vdash m} \qquad
\frac{H \vdash (m_1, m_2)}{H \vdash m_1} \qquad
\frac{H \vdash (m_1, m_2)}{H \vdash m_2}.
\]

Thus, for instance, if an adversary intercepts the messages $\{m\}_{k_1}$, $\{k_1^{-1}\}_{k_2}$, and $k_2^{-1}$, he can derive 
$m$ using these inference rules, since 

\[
\{\{m\}_{k_1}, \{k_1^{-1}\}_{k_2}, k_2^{-1}\} \vdash m.
\]

(The use of a symbolic representation for messages is the source of the name "symbolic crypto- 
graphic protocol analysis" given to this style of protocol analysis.) 
We can define an indistinguishability relation by following the formalization of Abadi and 
Rogaway [2002]. (Similar ideas appear in Abadi and Tuttle [1991] and Syverson and van Oorschot 
[1994].) Intuitively, the adversary cannot distinguish two states if his local state is the same at 
both states, except that we identify encrypted messages for which he does not have the key, to 
capture the intuition that he cannot distinguish encrypted messages. For simplicity, assume that 
the local states $s_{adv}$ of the adversary simply consist of sets of messages (intuitively, the messages he 
has intercepted, along with any initial messages, such as public keys). 

Given a message $m$ and a set of keys $K$, let $\lfloor m \rfloor_K$ be the result of replacing every indecipherable 
message in $m$ by $\Box$. Formally, define 

\[
\begin{array}{l}
\lfloor p \rfloor_K = p \\
\lfloor k \rfloor_K = k \\
\lfloor (m_1, m_2) \rfloor_K = (\lfloor m_1 \rfloor_K, \lfloor m_2 \rfloor_K) \\
\lfloor \{m\}_k \rfloor_K = \begin{cases} \{\lfloor m \rfloor_K\}_k & \text{if } k^{-1} \in K \\ \Box & \text{otherwise.} \end{cases}
\end{array}
\]

It is easy to check that $m'$ is a submessage of $\lfloor m \rfloor_K$ if and only if $K \cup \{m\} \vdash m'$. We extend $\lfloor - \rfloor$ to 
sets of messages $H$ by taking $\lfloor H \rfloor_K = \{\lfloor m \rfloor_K \mid m \in H\}$. Define $\mathit{Keys}(H) = \{k \mid H \vdash k\}$. Finally, 
define the indistinguishability relation $\mathcal{K}^*$ by taking $(s, s') \in \mathcal{K}^*$ if and only if $\lfloor s_{adv} \rfloor_K = \lfloor s'_{adv} \rfloor_{K'}$, 
where $K = \mathit{Keys}(s_{adv})$ and $K' = \mathit{Keys}(s'_{adv})$. In other words, the adversary cannot distinguish 
two states in which he has intercepted different messages, where the only difference between these 
messages occurs in the content of encrypted messages for which he does not have the decryption 
key. 

We restrict our attention to message-transmission protocols, protocols in which the goal is for 
agent 1 to send a message to agent 2 in a confidential way. We assume that the adversary can 
intercept messages from the network, and can also forward and inject messages into the network. 
We can associate with a protocol $P$ a set $S_P$ of global states corresponding to the states that the 
protocol goes through upon execution (including states that result from the adversary intercepting, 
forwarding, or injecting messages). We assume that the global states in $S_P$ include states for all 
the possible messages that could be sent. If $\mathcal{M}$ is the set of all messages that could be sent, and 
$m \in \mathcal{M}$, let $G(m) \subseteq S_P$ be the set of global states where agent 1 sends message $m$ to agent 2. We 
say a message-transmission protocol $P$ preserves message secrecy if for all global states $s \in S_P$ and 
all messages $m \in \mathcal{M}$, 

\[
\mathcal{K}^*(s) \cap G(m) \neq \emptyset.
\]

In other words, every local state of the adversary is compatible with agent 1 having sent any possible 
message $m$. 
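As an added example (not the column's own code) covering the $\vdash$ rules, the pattern function $\lfloor m \rfloor_K$, the relation $\mathcal{K}^*$ and the message-secrecy condition just defined, the Python below closes a set of intercepted messages under the four inference rules, blanks out undecryptable ciphertexts, and checks message secrecy for a constructed one-message protocol in which agent 1 sends $\{m\}_k$. The message encoding (tuples tagged `"pair"` and `"enc"`, keys as strings starting with `k`, inverse keys written `k^-1`) and the protocol are assumptions of the example.

```python
# Symbolic messages, with conventions assumed by this example:
#   atoms are strings; a key is a string starting with "k";
#   inv("k1") == "k1^-1" and inv("k1^-1") == "k1";
#   ("pair", m1, m2) stands for (m1, m2) and ("enc", m, k) for {m}_k.
BOX = "□"   # stands for an encrypted message the adversary cannot open

def inv(k):
    return k[:-3] if k.endswith("^-1") else k + "^-1"

def is_key(m):
    return isinstance(m, str) and m.startswith("k")

def derivable(H):
    """Closure of H under the four rules for |-: an intercepted message,
    decryption with the inverse key, and the two projections of a pair."""
    known = set(H)
    while True:
        new = set()
        for m in known:
            if isinstance(m, tuple) and m[0] == "pair":
                new.update((m[1], m[2]))
            elif isinstance(m, tuple) and m[0] == "enc" and inv(m[2]) in known:
                new.add(m[1])
        if new <= known:
            return known
        known |= new

def keys(H):
    """Keys(H) = {k | H |- k}."""
    return {m for m in derivable(H) if is_key(m)}

def pattern(m, K):
    """Floor function: replace every message encrypted under a key whose
    inverse is not in K by BOX, recursing into pairs and openable ciphertexts."""
    if isinstance(m, str):
        return m
    if m[0] == "pair":
        return ("pair", pattern(m[1], K), pattern(m[2], K))
    if m[0] == "enc":
        return ("enc", pattern(m[1], K), m[2]) if inv(m[2]) in K else BOX
    raise ValueError(m)

def indistinguishable(s_adv, t_adv):
    """(s, t) in K*: the adversary's intercepted messages have the same
    patterns once the ciphertexts he cannot decrypt are blanked out."""
    def view(H):
        return {pattern(m, keys(H)) for m in H}
    return view(s_adv) == view(t_adv)

def preserves_message_secrecy(states):
    """states: one (m, s_adv) pair per global state of S_P, where m is the
    message agent 1 sends and s_adv is the adversary's local state.
    Secrecy: for every state s and every message m, K*(s) meets G(m)."""
    messages = {m for m, _ in states}
    return all(any(indistinguishable(s_adv, t_adv)
                   for t_m, t_adv in states if t_m == m)
               for _, s_adv in states for m in messages)

# Constructed protocol: agent 1 sends {m}_k to agent 2, for m in {m0, m1}; the
# adversary intercepts it and initially holds k (and, in the broken variant, k^-1).
def protocol_states(adv_has_inverse):
    initial = {"k", "k^-1"} if adv_has_inverse else {"k"}
    return [(m, frozenset(initial | {("enc", m, "k")})) for m in ("m0", "m1")]

# The derivation example from the text: {{m}_k1, {k1^-1}_k2, k2^-1} |- m.
ARTICLE_H = {("enc", "m", "k1"), ("enc", "k1^-1", "k2"), "k2^-1"}

if __name__ == "__main__":
    print("m" in derivable(ARTICLE_H))                      # True
    print(preserves_message_secrecy(protocol_states(False)))  # True
    print(preserves_message_secrecy(protocol_states(True)))   # False
```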

Can we capture this syntactically? Let $\Phi_0$ be a primitive vocabulary. Say $\varphi$ depends only on 
the message exchanged by the protocol if $(M, s) \models \varphi$ if and only if $(M, s') \models \varphi$, whenever the same 
message is exchanged in both states $s$ and $s'$. The following result can be proved using techniques 
similar to those used to prove Theorem 1. 

Theorem 2. A message-transmission protocol $P$ preserves message secrecy if and only if, for 
every interpretation $\pi$, if $\varphi$ depends only on the message exchanged by $P$ and is nontrivial in 
$M = (S_P, \mathcal{K}^*, \pi)$ then $M \models \neg K\varphi$. 
An alternative approach, sometimes used in the literature, leads to a specification which is 
easier to enforce. This approach uses the $\vdash$ relation directly in the specification. This specification 
essentially says that the adversary cannot derive the content of the message being exchanged. (This 
is the approach taken, for instance, by Casper [Lowe 1998], a protocol analysis tool based on the 
CSP language [Hoare 1985].) Say a message-transmission protocol $P$ preserves message DY-secrecy 
if, at every state $s \in S_P$ where the message exchanged is $m$, 

\[
s_{adv} \nvdash m.
\]

This specification does not require an indistinguishability relation for the adversary, and this 
suggests that it can be captured by a specification that does not use knowledge. Indeed, the 
specification can be captured rather simply if we use the right language. As opposed to the way we 
have been specifying things until now, this time, we fix a particular vocabulary and a particular 
interpretation $\pi_0$. Let $\mathit{has}(m)$ be a fixed class of primitive propositions, one per message $m$, with 
$\mathit{has}(m) \in \pi_0(s)$ if and only if $s_{adv} \vdash m$. Let $\mathit{exchanged}(m)$ be a fixed class of primitive propositions, 
one per message $m$, with $\mathit{exchanged}(m) \in \pi_0(s)$ if and only if $m$ is the message exchanged by 
the protocol at state $s$. The following result follows immediately from the definition of message 
DY-secrecy. 

Theorem 3. A message-transmission protocol $P$ preserves message DY-secrecy if and only if, 
for the model $M_0 = (S_P, \mathcal{K}, \pi_0)$ and all messages $m$, $M_0 \models \mathit{exchanged}(m) \Rightarrow \neg\mathit{has}(m)$. 

This specification does not use knowledge, and uses a particular model with a fixed interpretation. 
In fact, it can be seen as a form of safety property, following the classification of properties due to 
Alpern and Schneider [1985]. Roughly speaking, a safety property can be checked independently at 
all the points of the system; the truth or falsehood of a formula at a point does not depend on the 
other points of the system. This generally leads to efficient procedures for checking the specification. 
It is possible to refine the approach by considering more general ways for the adversary to derive 
messages, and to formally relate the results to specifications based on knowledge [Halpern and 
Pucella 2002]. 

Confidentiality and Cryptography 

In the last section, the framework let us capture confidentiality in cryptographic protocols, under 
the assumption that the encryption was perfect; we did not allow the adversary to extract any 
information from an encrypted message for which he did not have the decryption key. Of course, 
in reality, encryption schemes are not perfect, and they can possibly leak information about the 
message being encrypted. In this section, we examine how we can capture the confidentiality of 
encryption schemes. 

Cryptography studies, among others, the properties of encryption schemes. Modern cryptogra- 
phy is motivated by two basic tenets. First, encryption schemes are concrete mathematical systems 
that act on strings (often taken to be bit strings). This view leads naturally to finer confidentiality 
properties than simply showing that the adversary cannot recover the message being encrypted. 
Rather, confidentiality should mean that the adversary cannot derive any information about the 
message being encrypted, including, say, that the first bit of the message is a 1. The second tenet 
is that we do not impose any restriction on the computations that the adversary can perform on 
encrypted messages, aside from the fact that they must be feasible computations. Generally, the 
class of feasible computations is the class of probabilistic polynomial time algorithms [Motwani and 
Raghavan 1995]. The definition of a probabilistic polynomial time algorithm is asymptotic: the 
running time of the algorithm is polynomial in the length of the input. Working with such a 
definition of feasibility is simplified by taking the encryption scheme itself to be defined asymptotically, 
where the parameterization is given by a security parameter. Intuitively, the larger the security 
parameter, the harder it is for an adversary to get information about encrypted messages. 

The basic definition of confidentiality for an encryption scheme is that the adversary learns 
nothing about the content of an encrypted message (except possibly, for technical reasons, 
information about the length of the plaintext). The definitions we use are essentially due to Goldwasser 
and Micali [1984], but simplified following Goldreich [1998]. In particular, we assume an encryption 
scheme where the same key is used to encrypt and decrypt messages, and where the encryption 
is probabilistic: encryption with a given key yields a probability distribution over encrypted 
messages. We take $E(x)$ to be the distribution of encryptions of $x$, when the key is selected at random. 
Moreover, we assume that for a security parameter $\eta$, the keys have length $\eta$, and the scheme is 
used to encrypt messages of length $\eta^2$. Thus, we can simply take the security parameter to be the 
length of the keys. These restrictions, and the following definitions, are fairly technical, and I will 
refer to Goldreich [1998, 2001] for intuitions and more in-depth discussions. 

The definition we use is that of indistinguishability of encryptions, which says that an adversary 
cannot distinguish, based on probabilistic polynomial-time tests, whether two messages encrypted 
with a random key are the same message or not, even when provided with essentially arbitrary a 
priori information. Formally, let $A$ be a feasible algorithm (which we assume returns 0 or 1). We 
say a sequence $(x_\eta, y_\eta, z_\eta)_\eta$, where $|x_\eta| = |y_\eta|$ and $|z_\eta|$ are polynomial in $\eta$, is $A$-indistinguishable 
if 

$\bigl|\, \Pr[A(E(x_\eta), z_\eta) = 1] - \Pr[A(E(y_\eta), z_\eta) = 1] \,\bigr|$ 

is a negligible function of $\eta$, where $f(\eta)$ is negligible in $\eta$ if for all polynomials $p$, $f(\eta) < 1/p(\eta)$ 
for all sufficiently large $\eta$. In other words, a sequence is $A$-indistinguishable if the adversary cannot really 
distinguish, based on the output of $A$, whether an encrypted message is an encryption of $x_\eta$ or of 
$y_\eta$, even when provided with arbitrary information $z_\eta$. (For instance, $z_\eta$ could be the pair $(x_\eta, y_\eta)$, 
meaning that even when the adversary knows that the encrypted message is the encryption of 
either $x_\eta$ or $y_\eta$, he cannot tell which is the actual message that was encrypted.) Note that we 
do not require the probabilities to be equal, but that the difference should not be noticeable by a 
polynomially-bounded observer. 

An encryption scheme is semantically secure if, for all feasible algorithms $A$, all sequences 
$(x_\eta, y_\eta, z_\eta)_\eta$, where $|x_\eta| = |y_\eta|$ and $|z_\eta|$ are polynomial in $\eta$, are $A$-indistinguishable.¹ One of 
the many achievements of modern cryptography is to show that there are encryption schemes that 
are semantically secure, assuming the existence of mathematical entities such as one-way functions 
[Goldreich 2001]. 
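The definition above is asymptotic, so it helps to see the experiment run. The following is an added example written for this column, not code from the column or from Goldreich; it builds two toy symmetric schemes with an $\eta$-byte random key (a deterministic ECB-style scheme over a constructed 4-round Feistel permutation, and a probabilistic nonce-plus-keystream scheme), a concrete distinguisher $A(c, z)$ that is given $z = (x, y)$, and a sampling estimate of $|\Pr[A(E(x), z) = 1] - \Pr[A(E(y), z) = 1]|$ in place of the negligible-function bound. The messages, the Feistel construction and the HMAC-based keystream are all assumptions made for illustration and are not a real cipher. 

```python
"""Empirical indistinguishability-of-encryptions experiment (added example).

ecb_encrypt: deterministic, each block through a toy PRP (ECB mode).
ctr_encrypt: probabilistic, fresh random nonce plus an HMAC-derived keystream.
advantage() samples |Pr[A(E(x), z) = 1] - Pr[A(E(y), z) = 1]| over fresh keys.
The Feistel PRP and the sample messages are constructed for illustration only.
"""
import hashlib
import hmac
import secrets

ETA = 16      # security parameter: key length in bytes
BLOCK = 16    # block size of the toy PRP
ROUNDS = 4

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def prp(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 16-byte pseudorandom permutation: a 4-round Feistel network."""
    assert len(block) == BLOCK
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    if not decrypt:
        for i in range(ROUNDS):
            L, R = R, xor(L, _round_fn(key, i, R))
    else:  # undo the rounds in reverse order
        for i in reversed(range(ROUNDS)):
            L, R = xor(R, _round_fn(key, i, L)), L
    return L + R

def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "this example uses whole-block messages"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    # Deterministic: equal plaintext blocks yield equal ciphertext blocks.
    return b"".join(prp(key, b) for b in _blocks(msg))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(prp(key, b, decrypt=True) for b in _blocks(ct))

def _keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]
        for i in range(nblocks))

def ctr_encrypt(key: bytes, msg: bytes) -> bytes:
    # Probabilistic: a fresh nonce per call, so E(x) is a distribution even
    # for a fixed key.  Output is nonce || (msg XOR keystream).
    nonce = secrets.token_bytes(BLOCK)
    return nonce + xor(msg, _keystream(key, nonce, len(msg) // BLOCK))

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:BLOCK], ct[BLOCK:]
    return xor(body, _keystream(key, nonce, len(body) // BLOCK))

def repeated_block_adversary(ct: bytes, z) -> int:
    """A(c, z): output 1 iff two ciphertext blocks coincide.  With z = (x, y)
    where only x repeats a block, this is the obvious distinguisher against
    ECB.  A ciphertext longer than x carries a leading nonce block; skip it."""
    x, _y = z
    blocks = _blocks(ct)
    if len(ct) > len(x):
        blocks = blocks[1:]
    return 1 if len(set(blocks)) < len(blocks) else 0

def advantage(encrypt, adversary, x: bytes, y: bytes, z, trials: int = 200) -> float:
    """Estimate |Pr[A(E(x), z) = 1] - Pr[A(E(y), z) = 1]| over fresh random keys."""
    assert len(x) == len(y), "indistinguishability is only asked of equal-length messages"
    hits_x = sum(adversary(encrypt(secrets.token_bytes(ETA), x), z) for _ in range(trials))
    hits_y = sum(adversary(encrypt(secrets.token_bytes(ETA), y), z) for _ in range(trials))
    return abs(hits_x - hits_y) / trials

# Constructed sample messages (same length): x repeats a block, y does not.
B1 = b"attack at dawn!!"
B2 = b"attack at dusk!!"
X_MSG, Y_MSG = B1 + B1, B1 + B2
Z_INFO = (X_MSG, Y_MSG)   # the adversary knows both candidate plaintexts

if __name__ == "__main__":
    print("ECB advantage:", advantage(ecb_encrypt, repeated_block_adversary, X_MSG, Y_MSG, Z_INFO))
    print("CTR advantage:", advantage(ctr_encrypt, repeated_block_adversary, X_MSG, Y_MSG, Z_INFO))
```

Against the ECB scheme the estimated advantage is 1: the key is secret and random, yet the ciphertext reveals whether the plaintext had a repeated block, so the pair $(x_\eta, y_\eta)$ is not $A$-indistinguishable for this $A$. Against the nonce-based scheme the same $A$ reports 0 (two keystream blocks would have to collide). The ECB failure also matches the knowledge reading below: "the plaintext contains a repeated block" is a property of the messages, not of their length, and the adversary knows it. 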

We can translate semantic security of an encryption scheme $\mathcal{C}$ into properties in an adversar- 
ial frame, where the states of the adversary are sequences of messages (indexed by the security 
parameter), along with some initial information. Formally, a local state for the adversary is a 
pair $((x_\eta)_\eta, (z_\eta)_\eta)$, where $(x_\eta)_\eta$ is the sequence of messages to be encrypted, and $(z_\eta)_\eta$ is the se- 
quence of a priori information. Let $S_{\mathcal{C}}$ be the set of all states where the adversary has such a 
local state. Note that $S_{\mathcal{C}}$ does not directly model a particular protocol between agents; we are 
interested in modeling properties of an encryption scheme, not a protocol. To get an adversarial 
frame, we define an indistinguishability relation $\mathcal{K}^{\mathit{adv}}$ as follows: take $(s, s') \in \mathcal{K}^{\mathit{adv}}$ if and only if 
$(x_\eta, y_\eta, z_\eta)_\eta$ is $A$-indistinguishable for every feasible algorithm $A$, where $s_{\mathit{adv}} = ((x_\eta)_\eta, (z_\eta)_\eta)$ 
and $s'_{\mathit{adv}} = ((y_\eta)_\eta, (z_\eta)_\eta)$. 

¹ Strictly speaking, this is the definition of an encryption scheme having indistinguishability of encryptions, which 
can be shown to be equivalent to the traditional definition of semantic security. 

We can, up to a point, capture semantic security of the encryption scheme using a knowledge 
specification. Let $\Phi_0$ be a primitive vocabulary. Say a formula $\varphi$ depends only on messages but not their 
length in $M$ when the following properties hold: 

(1) if $s_{\mathit{adv}} = s'_{\mathit{adv}}$ then $(M, s) \models \varphi$ if and only if $(M, s') \models \varphi$; 

(2) there exist $s, s'$ with $s_{\mathit{adv}} = ((x_\eta)_\eta, (z_\eta)_\eta)$, $s'_{\mathit{adv}} = ((y_\eta)_\eta, (z_\eta)_\eta)$, and $|x_\eta| = |y_\eta|$ for all $\eta$, such 
that $(M, s) \models \varphi$ and $(M, s') \models \neg\varphi$. 

The following result follows almost immediately from the definition of semantic security. 

Theorem 4. If an encryption scheme $\mathcal{C}$ is semantically secure, then, for every interpretation 
$\pi$, if $\varphi$ depends only on messages but not on their length and is nontrivial in $M = (S_{\mathcal{C}}, \mathcal{K}^{\mathit{adv}}, \pi)$, 
then $M \models \neg K\varphi$. 

This formalizes one intuition behind semantic security, namely that it ensures the adversary 
cannot derive any (nontrivial) knowledge about the content of encrypted messages, except perhaps 
their length. It is not clear how to get the other direction of the implication without making 
stronger assumptions on the language or the models. 

This result is unsatisfying compared to the results of the previous section as far as it concerns 
reasoning about protocols. In particular, the states of the models are more "artificial" , and do 
not correspond directly to states that arise during the execution of a protocol. A more interesting 
result would be to characterize the knowledge of an adversary in the context of message-transmission 
protocols implemented using an encryption scheme with a property such as semantic security. This 
is an active research area. Some results have been obtained using techniques from programming 
languages [Lincoln, Mitchell, Mitchell, and Scedrov 1998; Abadi and Rogaway 2002], and logical 
techniques have been brought to bear on the question [Impagliazzo and Kapron 2003], but no 
connection to knowledge has yet been established, as far as I know. 

Acknowledgments. Thanks to Steve Chong, Joe Halpern, Kevin O'Neill, Sabina Petride, and 
Vicky Weissman for comments. 